President Joe Biden recently issued an Executive Order aimed at prioritizing cybersecurity and implementing new policies for strengthening information security practices and technologies. All organizations, both public and private, continue to face increasingly sophisticated cyberattacks, and as recent incidents with Colonial Pipeline and SolarWinds have shown, these attacks can have a widespread impact on everyday life across the globe. Ransomware attacks are expected to hit $6 trillion this year, with tactics and techniques reaching new levels of sophistication.
The Executive Order signed on May 12, 2021, “Improving the Nation’s Cybersecurity”, calls for federal agencies to work more closely with the private sector to share information, strengthen cybersecurity practices, and deploy technologies that increase protections against cyberattacks. The high-level directives include:
- Creating new IT security rules for select federal contractors that provide information technology, operational technology, and information and communications technology. Revisions to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) will remove contractual barriers to sharing information about threats and risks and require prompt reporting of cybersecurity incidents (similar to the OCR’s HIPAA Breach Notification Rules).
- Requiring federal agencies to implement additional IT security measures – accelerating movement to zero trust environments and secure cloud services, evaluating types and sensitivity of unclassified data, developing secure storage solutions, adopting multi-factor authentication, endpoint detection, and encryption – and establishing more robust training programs.
- Addressing supply chain risk and setting new NIST standards for commercial software development. Baseline security requirements built from industry best practices will be mandated for all software sold to the federal government. (This is where we will see significant change across the industry in overall security!)
- Creating a national review board that would convene following significant incidents to analyze what happened and provide recommendations.
- Standardizing the government’s incident response plan and developing operational procedures to be used in planning and conducting incident response activities.
The new requirements will work together with existing standards like the Cybersecurity Maturity Model Certification (CMMC) and National Institute of Standards and Technology (NIST) frameworks.
It is critical for all institutions to ensure they can successfully mitigate the risk of potential cyberattacks and have procedures in place for proactively responding to incidents. Although this Executive Order applies to federal agencies, it also applies to all organizations providing services/software to the federal government through contracts or grants, which means these requirements will trickle down to private industry as well.
The higher education industry has been working to encourage third-party service providers to implement and demonstrate proof of the security of their products through tools like the HECVAT. However, this action from the Federal Government may push software developers to become more accountable for meeting and complying with enhanced security requirements, and providing documentation of all components of their software, including elements from third parties. The Executive Order discusses the creation of a consumer software labeling program so the government (and private organizations as well) can quickly see a solution’s security rating. With increased transparency and information sharing across the supply chain, this should result in more secure environments for all.
If you review the full text, you will see that each proposed initiative has been assigned ambitious timelines for establishing frameworks, publishing guidelines, and adopting required technologies. All organizations should be taking note and evaluating their information security programs, and closely watching the federal guidance issued over the next several months.
Some additional guidance from the CampusGuard Security Advisor Team
[Hobby]: The past few months have brought us several high-profile cybersecurity incidents including the recent ransomware incident at Colonial Pipeline. This executive order is bold in its vision and could help prevent or limit the impact of similar future incidents, but at this point we’re waiting on the agencies to develop their recommendations to improve federal supply-chain cybersecurity. While the order only applies to the executive branch of the federal government, we should realize it is also an effort to influence the private sector through federal procurement practices, and that the government will continue to prioritize cybersecurity. If you’re involved in your organization’s information security or risk management programs, this means that you should begin prioritizing improvement efforts now rather than waiting on federal regulations to wind their way to you.